CLAIMS

1. A security system for controlling access to one or more
application functions located on a server or accessible
via said server, each application function having an
associated security level, wherein one or more clients
communicate with said server by means of requests for
accessing one of said application functions using a
network, wherein access to said application functions is
controlled by security requirements, comprising:

an authentication component functionally separated from
said clients and said application functions for
processing said client request independently of the
client type, containing more than one authentication
mechanism and selecting and executing an authentication
mechanism from said authentication mechanisms based on
the information contained in the client request,
resulting in a security state;

a security component containing a security policy
describing security requirements (security level) for
accessing application functions, comparing said security
state associated with said client with the security level
of the application function and allowing access to the
application function if the security state fulfills the
security level.



2. A system according to claim 1, wherein said clients are
PVC-devices.

3. A system according to claim 1, wherein said
authentication component and said security component are
integrated in one component stored on a server.

4. A system according to claim 1, whereby said
authentication component consists of security plug-ins,
whereby each authentication mechanism is laid down in a
separate security plug-in.

5. A system according to claim 4, whereby the authentication
mechanism may be UserID/Password, Challenge/Response or
digital signature.

6. A system according to claim 2 further comprising:

a component (ADL) for converting PVC-device specific
requests into canonical requests before said request is
used by said authentication component.
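The following is an added Python example illustrating the system of claims 1 to 6; it is not code from the patent and the claims prescribe none of its details. Everything concrete in it is assumed: the canonical request is a dict with keys `function`, `auth` and `credentials`; each security plug-in is a class exposing a `mechanism` name and an `authenticate()` method; security levels are small integers; the security policy is a dict from function name to required level; the credential store and the two device-specific request formats handled by the adaptation layer are constructed sample data. Of the three mechanisms named in claim 5, UserID/Password and Challenge/Response are implemented; a digital-signature plug-in would use the same interface but is left out because the standard library has no signature primitive.

```python
"""Constructed illustration of claims 1 to 6 (added example, not the patent's code).
Assumed: canonical request = {"function", "auth", "credentials"}; plug-ins expose
`mechanism` + authenticate(); levels are ints; the policy maps function -> level.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed server-side credential store.
_SALT = b"constructed-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}
SHARED_SECRETS = {"bob": b"constructed-shared-secret"}
CHALLENGE = b"constructed-server-challenge-0001"   # assumed issued to bob earlier


@dataclass(frozen=True)
class SecurityState:
    """Outcome of authentication (claim 1): who was proven, how strongly, by which mechanism."""
    principal: Optional[str]
    level: int
    mechanism: str


def compute_response(secret: bytes, challenge: bytes) -> str:
    """Client-side half of the challenge/response mechanism verified by the plug-in below."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


class AnonymousPlugin:
    """Request carries no authentication information: lowest level."""
    mechanism = "none"

    def authenticate(self, request):
        return SecurityState(None, 0, self.mechanism)


class PasswordPlugin:
    """UserID/Password mechanism (claim 5) as its own plug-in (claim 4)."""
    mechanism = "userid_password"

    def authenticate(self, request):
        creds = request["credentials"]
        user, password = creds.get("userid"), creds.get("password") or ""
        digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
        # Unknown users compare against a dummy digest so timing does not reveal existence.
        expected = USERS.get(user, "0" * 64)
        if user in USERS and hmac.compare_digest(digest, expected):
            return SecurityState(user, 1, self.mechanism)
        return SecurityState(None, 0, self.mechanism)


class ChallengeResponsePlugin:
    """Challenge/Response mechanism (claim 5): HMAC over a server-issued challenge."""
    mechanism = "challenge_response"

    def authenticate(self, request):
        creds = request["credentials"]
        user, response = creds.get("userid"), creds.get("response") or ""
        secret = SHARED_SECRETS.get(user)
        if secret is not None and hmac.compare_digest(response, compute_response(secret, CHALLENGE)):
            return SecurityState(user, 2, self.mechanism)
        return SecurityState(None, 0, self.mechanism)


class AuthenticationComponent:
    """Claim 1: selects a mechanism from information in the request and executes it."""

    def __init__(self, plugins):
        self._plugins = {p.mechanism: p for p in plugins}

    def authenticate(self, request) -> SecurityState:
        # A mechanism this component does not provide degrades to the anonymous plug-in.
        plugin = self._plugins.get(request.get("auth"), self._plugins["none"])
        return plugin.authenticate(request)


class SecurityComponent:
    """Claim 1: compares the client's security state with the function's security level."""

    def __init__(self, policy):
        self._policy = policy

    def permits(self, state: SecurityState, function: str) -> bool:
        required = self._policy.get(function)
        return required is not None and state.level >= required   # fail closed if unlisted


def device_adaptation_layer(device_type: str, raw) -> dict:
    """Claim 6: convert a device-specific request into canonical form (constructed formats)."""
    if device_type == "browser":          # assumed: header-style mapping
        return {"function": raw["path"].lstrip("/"), "auth": raw.get("X-Auth", "none"),
                "credentials": {"userid": raw.get("X-User"), "password": raw.get("X-Password"),
                                "response": raw.get("X-Response")}}
    if device_type == "phone":            # assumed: compact "key=value;..." text
        fields = dict(item.split("=", 1) for item in raw.split(";"))
        return {"function": fields["fn"], "auth": fields.get("auth", "none"),
                "credentials": {"userid": fields.get("uid"), "password": fields.get("pw"),
                                "response": fields.get("rsp")}}
    raise ValueError(f"unsupported device type: {device_type!r}")


POLICY = {"catalog": 0, "account_view": 1, "transfer": 2}   # constructed security levels
AUTH = AuthenticationComponent([AnonymousPlugin(), PasswordPlugin(), ChallengeResponsePlugin()])
SECURITY = SecurityComponent(POLICY)


def handle(device_type: str, raw):
    """Whole path of one request: adapt, authenticate, then decide access."""
    request = device_adaptation_layer(device_type, raw)
    state = AUTH.authenticate(request)
    return state, SECURITY.permits(state, request["function"])
```

Two design points matter for the claimed separation: the plug-ins never see the device format, only the canonical request, so a new client type touches only the adaptation layer; and the security component decides purely on the recorded level, so a function absent from the policy is denied rather than silently opened.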

7. A method for controlling access to one or more
application functions stored on a server or accessible
via said server, each application function having an
associated security level, wherein one or more clients
communicate with said server by means of requests for
accessing one of said application functions using a
network, whereby access to said application functions is
controlled by security requirements, comprising the
steps of:

routing all incoming requests created by said clients to
an authentication component which is functionally
independent from said clients and said application
functions, said authentication component performing the
steps of:

authentication of said client by determining an
authentication mechanism provided by said authentication
component by means of authentication information
contained in said request and applying said
authentication mechanism;

storing a result of said authentication and said
authentication information or parts of it contained in
said request as a security state;

using security requirements for said one of said
application functions to be accessed;

comparing said stored security state with said security
requirements for accessing the requested application
function; and

invoking said requested application function if said
security state fulfills said security requirements.

8. A method according to claim 7 wherein said incoming
requests are canonical requests.

9. A method according to claim 8 wherein said canonical
requests are created by a Device Adaptation Layer which
converts client specific requests into canonical
requests.
10. A method according to claim 7 comprising the further
steps of:

creating a session identifier when establishing a
communication between a client and a server and using
said session identifier in all requests and responses
between said client and said server.

11. A method according to claim 10 whereby said session
identifier and said security state are placed in a
cookie, whereby said cookie is inserted into each
request and response between said client and said server.

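The following is an added Python example for claims 10 and 11, not code from the patent. It shows a session identifier created at first contact and then carried, together with the security state, in a cookie that the server re-inserts into every response. One thing the claims do not state is assumed here: because the security state rides on the client side, the cookie value carries an HMAC under a server-only key, so a cookie the server did not issue or that was altered in transit is recognised and treated as no state at all. The cookie name, key, policy and state layout are constructed.

```python
"""Added illustration of claims 10 and 11, not the patent's own code.
Constructed assumptions: the security state is (principal, level); the cookie
value is base64(JSON) plus an HMAC tag under a server-only key, so a state the
client altered or invented is recognised and treated as no state at all.
"""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, asdict
from typing import Optional, Tuple

SERVER_KEY = b"constructed-server-cookie-key"    # never leaves the server
COOKIE_NAME = "SECSTATE"
POLICY = {"catalog": 0, "account_view": 1, "transfer": 2}   # function -> required level


@dataclass(frozen=True)
class SecurityState:
    principal: Optional[str]
    level: int


def new_session_id() -> str:
    """Claim 10: unguessable identifier created when the communication is established."""
    return secrets.token_urlsafe(16)


def encode_cookie(session_id: str, state: SecurityState) -> str:
    """Claim 11: session identifier and security state together in one cookie value."""
    payload = json.dumps({"sid": session_id, **asdict(state)}, separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def decode_cookie(value: str) -> Optional[Tuple[str, SecurityState]]:
    """Return (session_id, state), or None for a missing, malformed or tampered cookie."""
    body, sep, tag = value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    data = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return data["sid"], SecurityState(data["principal"], data["level"])


def establish_session() -> str:
    """Server response to a first contact: fresh session, nothing authenticated yet."""
    return encode_cookie(new_session_id(), SecurityState(None, 0))


def upgrade_state(cookie: str, principal: str, level: int) -> str:
    """After the authentication component has produced a new state, keep the same
    session identifier and re-issue the cookie carrying that state."""
    decoded = decode_cookie(cookie)
    if decoded is None:
        raise ValueError("cannot upgrade a cookie this server did not issue")
    return encode_cookie(decoded[0], SecurityState(principal, level))


def _cookie_from_header(headers: dict) -> str:
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return value
    return ""


def process_request(headers: dict, function: str):
    """One server round trip: recover session and state from the request cookie (or
    start a session), compare the state with the function's level, re-insert the cookie."""
    decoded = decode_cookie(_cookie_from_header(headers))
    if decoded is None:      # first contact, or a cookie that failed verification
        session_id, state = new_session_id(), SecurityState(None, 0)
    else:
        session_id, state = decoded
    required = POLICY.get(function)
    allowed = required is not None and state.level >= required
    set_cookie = f"{COOKIE_NAME}={encode_cookie(session_id, state)}; HttpOnly; Secure"
    return allowed, session_id, {"Set-Cookie": set_cookie}
```

A failed verification is deliberately indistinguishable from a first contact: the server starts a new session with an anonymous state instead of trusting any part of the presented value, and the response cookie carries only what the server itself computed.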
12. A method according to claim 7 wherein said clients are
PVC-devices.

13. A computer program comprising computer program code
portions for performing respective steps of the method
according to claims 7 to 12 when the program is executed
in a computer.

14. A computer program product stored on a computer-readable
medium containing software code for performing the
method according to one of claims 7 to 12 if the
program product is executed on the computer.

15. A client-server system, wherein one or more clients,
having client types, communicate with a server by means
of requests for accessing application functions located
on or accessible via said server, wherein access to said
application functions is controlled by a security system
located on said server, wherein said security system
comprises:

an authentication component, functionally separated from
said one or more clients and said application functions
for processing client requests independently of client
type, containing one or more authentication mechanisms
and selecting and executing an authentication mechanism
from said authentication mechanisms based on the
information contained in the client request, resulting in
a security state;

a security component containing a security policy
describing security requirements (security level) for
accessing application functions, comparing said security
state associated to a client with the security level of
the application function and allowing access to the
specified application function if the security state
fulfills the security level.


